Show HN: Wallarm – Protect your web apps or APIs with fast Nginx-based instances

95 points by stepan_, almost 9 years ago

17 comments

idank, almost 9 years ago
TLDR: proxy your traffic through a locally installed secret blackbox, after which it is "100% protected".

Not found on the website: non-buzzwordy description of how this really works and what makes it better than the other gazillion security products. Show me an example of an attack you stopped. I realize the website isn't selling to engineers, but still.
0xmohit, almost 9 years ago
One may also want to see NAXSI [0]. NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX.

[0] https://github.com/nbs-system/naxsi
chdir, almost 9 years ago
MVP it may be, but taking pictures of your screen with a camera creates horrible artifacts. Why not use screenshots for your banner images?
hkr_mag, almost 9 years ago
Guys, here is a story of how we got the idea of Wallarm

We started as a team of white hat hackers. Ivan (CEO) is a respected researcher known for his articles and talks at international security conferences (BlackHat, Hack In the Box, etc) on web application security.

Everything started with a boutique security consulting company founded by Ivan in 2009, which with time became a synonym for the "best security audits for web applications". After each security audit had been carried out we got a simple question: "Good job, guys, but what's next now? We've fixed all the vulnerabilities you found. The only problem is that we deploy code five times a week — and each (!) update might have new security flaws. We could be hacked again anytime!"

So "What's next?" We didn't know and were looking for the answer, evaluating different products pretending to secure the modern web — with orchestration by DevOps teams, continuous integration (CI) with frequent code updates right on production systems, complex Single-Page Applications and REST APIs, etc. And we failed. Every solution was broken for the same reasons.

1. They are not ready for continuous integration. Frequent code updates result in false positives when legitimate users get banned. The only way to avoid this is manual/semi-manual reconfiguration after each code release.

2. They don't scale well and are not ready for orchestration by popular DevOps tools (making themselves enemies of DevOps teams).

3. They overwhelm users with senseless notifications about thousands of attacks (which obviously every website has!) — without saying which of them are in fact dangerous and targeting security flaws of the protected application.

4. Finally, none of them help to find vulnerabilities, which are the real reason for data breaches.

So we ran different experiments by ourselves and step by step came to the idea of the product that we wanted to see on the market and recommend to our customers. We started working on it, released the first MVP and instantly got positive feedback from all those security teams.
0xmohit, almost 9 years ago
I feel sad when the website of a security company (especially websec) makes browsers block parts of their web pages due to cross-origin issues.
csears, almost 9 years ago
Starting at $1000/mo
Bombthecat, almost 9 years ago
For that money you can get IBM DataPower.

Which is an all in one very powerful solution... With near wire speed transfer.

I don't know why I should get that?
philsnow, almost 9 years ago
Sounds really similar to Signal Sciences (https://signalsciences.com/), down to implementation-level things as well.

hkr_mag or others, what differentiates Wallarm?
nwrk, almost 9 years ago
Looks very inspired by the VeryNginx extension

Same features but open source [0]

[0] https://github.com/alexazhou/VeryNginx

Demo dashboard: http://alexazhou.xyz/vn/index.html#

User: verynginx

Password: verynginx
ryanlol, almost 9 years ago
A security company where most of the employees use their personal emails on the VCS, I'm sure that'll be just great when one of your employees reuses passwords (which they do) or otherwise gets hacked.

But hey, I guess that solves all the complaints about secret black boxes.
hkr_mag, almost 9 years ago
Hey guys, Stepan and Ivan, co-founders here. Thanks for all the feedback! Answering all of this now.
BinaryIdiot, almost 9 years ago
Normally the person showing off something with Show HN also comes into the comments but I haven't seen anything. Is this yours, hkr_mag? Even one of your competitors showed up in the comments...

Some feedback (edited to add stuff twice):

- The pricing is confusing. The front page shows me how to install it and run but then another page mentions a free trial? Is that what I'm doing when I install via apt-get or run via docker?

- What's Wallarm Cloud? It appears to me Wallarm is an nginx module that "protects" stuff, somehow, and for some (maybe all) things it sends them to the Wallarm cloud for analysis. What is the Wallarm Cloud and how does that protect all of my data that it's receiving? What if it's receiving HIPAA data? Is it stored / cached and if so for how long?

- When attempting to register I think it's best to provide a verify option for the password.

- When attempting to register I keep getting errors stating my password is too simple. Even after 50 characters. I assume this is doing a check for symbols or something, but allowing any character and then me putting in 50 characters, I think it's safe to say it's no longer "too simple".

- You're using CORS but it's a subdomain; you don't need to do anything with CORS at all unless you really want to (but who wants to preflight *every single request* if you don't have to?). Just set the document.domain to the same domain and you're done.

- I think you can make your registration services flow a little better. Since it makes a request to get a token from the backend and it provides nothing with the request (minus the session id cookie), that means you're managing session state on the backend, so why are you also managing state on the front end? I get the idea behind the token but you have a token *and* a session id, and you're using the token more like a session id as it doesn't appear to change when I make calls to it.

- Why do I have a "permissions":["admin"] in my profile? :)

- Clicking on "Profile" takes me to a profile page, it downloads all of the resources and makes REST calls, and then it redirects back to active. Why not do this server-side so it's immediate and less bandwidth intensive? Alternatively if I haven't activated and I entered the wrong email address or other information now I can't update it at all. I have to create a new account. I'd suggest letting profile information be updated.

- Seems too black-box-y to me. I'd like to see something more to the point. Then again I'm an engineer but typically for products like this I've found you need at least some engineer buy-in to sell it to a company.
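The "too simple" rejection the comment above describes, modelled as an added example (not Wallarm's code and not the commenter's): a composition-only check that refuses a 50-character passphrase for lacking a digit or symbol, beside a length-aware policy that credits length instead. The character classes, the 60-bit threshold and the sample passwords are assumptions constructed for this example.

```python
"""Password-policy check: composition-only rules vs. a length-aware policy."""
import math
import string

# Character classes used to estimate the per-character alphabet size (assumed).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
MIN_BITS = 60.0  # guessing-resistance threshold; an assumed policy value


def composition_only(password: str) -> bool:
    """Models the behaviour described in the thread: require upper, digit and
    symbol, so a 50-character lowercase passphrase is still 'too simple'."""
    present = {name: any(c in chars for c in password) for name, chars in CLASSES.items()}
    return len(password) >= 8 and present["upper"] and present["digit"] and present["symbol"]


def estimated_bits(password: str) -> float:
    """Crude strength estimate: log2(alphabet) per character, where the alphabet
    is the union of the classes actually present. Good enough to show that
    length compensates for missing classes; not a real guessing model."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    ascii_known = string.ascii_letters + string.digits + string.punctuation
    if any(c not in ascii_known for c in password):
        alphabet += 10  # spaces / non-ASCII get a modest, fixed credit
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def length_aware(password: str) -> bool:
    """Accept when the estimate clears MIN_BITS. A string built from fewer than
    four distinct characters (e.g. 'a' * 50) is rejected: length alone is not
    entropy when the characters repeat."""
    if len(set(password)) < 4:
        return False
    return estimated_bits(password) >= MIN_BITS


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&3", "abcdefghij" * 5, "a" * 50, "password1"):
        print(f"{pw[:16]:<16} composition={composition_only(pw)!s:<5} "
              f"length_aware={length_aware(pw)!s:<5} bits={estimated_bits(pw):.1f}")
```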
pbarnes_1, almost 9 years ago
Only $1000/month/node! What a bargain. :)
jxcl, almost 9 years ago
I have never heard someone pronounce nginx "n-jinks" before like they did in their video. It's a minor thing, but it hurts their credibility in my eyes.
borski, almost 9 years ago
Wallarm looks like a fairly good WAF, and focused on developers / DevOps. We (https://www.tinfoilsecurity.com) have the same focus, but are focused on helping you find and fix the vulnerabilities rather than cloaking them / trying to catch them being exploited in real-time.

"Detect anomalies and block attacks with no latency" seems hard to believe - minimal latency, maybe, but none?

On the other hand, good luck to Wallarm - there need to be better WAFs out there.
bigblind, almost 9 years ago
Isn't Show HN meant for personal projects rather than companies?
nick007, almost 9 years ago
I really like this idea and I've started using Wallarm.

- Integration is amazingly easy if you use nginx... basically an apt-get.

- Unlike most security packages that just block certain ports or apply predefined rules, Wallarm feels like I have a dev-ops team looking at traffic patterns 24/7. They're always learning and they identify when things seem irregular.

This is definitely the next level of network security